STRUCTURED APPROACH FOR RISK-INFORMING DETERMINISTIC SAFETY ANALYSES

Background of Invention 

[0001] This invention relates generally to nuclear reactors and more particularly to 
structured risk-informed deterministic safety analyses for nuclear reactors. 

[0002] A typical boiling water reactor (BWR) includes a pressure vessel containing a
nuclear fuel core immersed in circulating coolant water which removes heat from the 
nuclear fuel. The water is boiled to generate steam for driving a steam turbine- 
generator for generating electric power. The steam is then condensed and the water is 
returned to the pressure vessel in a closed loop system. Piping circuits carry steam to 
the turbines and carry recirculated water or feed-water back to the pressure vessel 
that contains the nuclear fuel. 

[0003] The BWR includes several conventional closed-loop control systems that control
various individual operations of the BWR in response to demands. For example a 
control rod drive control system (CRDCS) controls the position of the control rods 
within the reactor core and thereby controls the rod density within the core which 
determines the reactivity therein, and which in turn determines the output power of 
the reactor core. A recirculation flow control system (RFCS) controls core flow rate, 
which changes the steam/water relationship in the core and can be used to change 
the output power of the reactor core. These two control systems work in conjunction 
with each other to control, at any given point in time, the output power of the reactor 
core. A turbine control system (TCS) controls steam flow from the BWR to the turbine 
based on pressure regulation or load demand.

[0004] The operation of these systems, as well as other BWR control systems, is
controlled utilizing various monitoring parameters of the BWR. Some monitoring 
parameters include core flow and flow rate affected by the RFCS, reactor system 
pressure, which is the pressure of the steam discharged from the pressure vessel to 
the turbine that can be measured at the reactor dome or at the inlet to the turbine, 
neutron flux or core power, feed water temperature and flow rate, steam flow rate 
provided to the turbine and various status indications of the BWR systems. Many 
monitoring parameters are measured directly, while others, such as core thermal 
power, are calculated using measured parameters. Outputs from the sensors and 
calculated parameters are input to an emergency protection system to assure safe 
shutdown of the plant, isolating the reactor from the outside environment if 
necessary, and preventing the reactor core from overheating during any emergency 
event. 

[0005] To operate, nuclear reactor power plants are required to be licensed by the 
nuclear regulatory body of the country where the nuclear power plant is located. 
Various postulated transient and accident events are analyzed as part of the nuclear 
power plant licensing process. Currently, a set of postulated transient and bounding 
accident events is defined and analyzed using a deterministic safety analysis 
approach. In the deterministic safety analysis approach, specific analyses are 
performed using prescribed conservative analytical models and assumptions and the 
results compared against defined acceptance criteria. Events outside of this set are 
analyzed using only a probabilistic risk assessment (PRA). 

Summary of Invention 

[0006] In one aspect, a risk-informed method for safety analyses of nuclear power
generating systems is provided. The method includes ordering events by an initiating 
event frequency, defining an initiating event frequency threshold value, defining 
acceptance criteria having an adjusted amount of conservatism, where the amount of 
conservatism is a function of the initiating event frequency, and analyzing an event by 
a deterministic safety analysis methodology when the event has an event initiating 
frequency at or above the threshold value, or analyzing an event by a probabilistic risk 
assessment methodology when the event has an event initiating frequency below the
threshold value. 

[0007] In another aspect, a system for performing risk-informed safety analyses of
nuclear power generating systems is provided. The system includes a computer configured to
order events by an initiating event frequency, define an initiating event frequency 
threshold value, define acceptance criteria having an adjusted amount of 
conservatism, wherein the amount of conservatism is a function of the initiating event 
frequency, and analyze an event by a deterministic safety analysis methodology when 
the event has an event initiating frequency at or above the threshold value, or analyze 
an event by a probabilistic risk assessment methodology when the event has an event 
initiating frequency below the threshold value. 

[0008] In another aspect, a computer program embodied on a computer readable
medium for performing risk-informed safety analyses of nuclear power generating
systems is provided. The program includes a code segment that orders events by an
initiating event frequency, defines an initiating event frequency threshold value, 
defines acceptance criteria having an adjusted amount of conservatism, wherein the 
amount of conservatism is a function of the initiating event frequency, and analyzes 
an event by a deterministic safety analysis methodology when the event has an event 
initiating frequency at or above the threshold value, or analyzes an event by a 
probabilistic risk assessment methodology when the event has an event initiating 
frequency below the threshold value. 

Brief Description of Drawings 

[0009] Figure 1 is a schematic diagram of the basic components of a power generating 
system that contains a turbine-generator and a boiling water nuclear reactor. 

[0010] Figure 2 is a flow chart of a structured risk-informed method for safety analyses
of nuclear power generating systems in accordance with an embodiment of the 
present invention. 

[0011] Figure 3 is a graph of events ordered by an initiating event frequency.

[0012] Figure 4 is a graph of the events ordered by an event initiating frequency and an
initiating event frequency threshold value.

[0013] Figure 5 is a graph of events ordered by an initiating event frequency and showing
different acceptance criteria. 

[0014] Figure 6 is a graph of events ordered by an initiating event frequency and showing 
different analysis methodology conservatism. 

[0015] Figure 7 is a graph of events ordered by an initiating event frequency and showing
the additional failures. 

Detailed Description 

[0016] A structured risk-informed method for safety analyses of nuclear power
generating systems is described below in more detail. This method risk-informs
deterministic nuclear safety analyses. An initiating event frequency is used as the 
basis for determining if the event is to be analyzed using a deterministic safety 
analysis methodology or using a probabilistic risk assessment methodology such as 
that described in Nuclear Regulatory Commission Regulatory Guide 1.174, An
Approach for Using Probabilistic Risk Assessment In Risk-Informed Decisions On 
Plant-Specific Changes to the Licensing Basis. The initiating event frequency is then 
used to further refine the acceptance criteria and methodology used in the 
deterministic safety analyses. This method can be used for any power generating 
system deterministic analysis area, for example, transient events and loss-of-coolant 
accidents. An initiating event is a spontaneous event that causes a reactor 
abnormality, for example, a broken pipe can result in a loss of coolant in the reactor. 

[0017] The structured risk-informed method for safety analyses of nuclear power
generating systems described below in more detail, in an exemplary embodiment, is
web enabled and is run on a business entity's intranet. In a further exemplary 
embodiment, the method is fully accessed by individuals having authorized access 
outside the firewall of the business entity through the Internet. In another exemplary 
embodiment, the method is run in a Windows NT environment or simply on a
stand-alone computer system having a CPU, memory, and user interfaces. In yet another
exemplary embodiment, the method is practiced by simply utilizing spreadsheet 
software. 

[0018] Figure 1 is a schematic diagram of the basic components of a power generating
system 8. The system includes a boiling water nuclear reactor 10 which contains a
reactor core 12. Water 14 is boiled using the thermal power of reactor core 12,
passing through a water-steam phase 16 to become steam 18. Steam 18 flows
through piping in a steam flow path 20 to a turbine flow control valve 22 which
controls the amount of steam 18 entering steam turbine 24. Steam 18 is used to drive
turbine 24 which in turn drives electric generator 26 creating electric power. Steam 18
flows to a condenser 28 where it is converted back to water 14. Water 14 is pumped
by feedwater pump 30 through piping in a feedwater path 32 back to reactor 10.

[0019] Figure 2 is a flow chart of a structured risk-informed method 40 for safety
analyses of nuclear power generating systems 8 in accordance with an embodiment of 
the present invention. In an exemplary embodiment, risk-informed method 40 
includes ordering 42 events by an initiating event frequency, defining 44 an initiating 
event frequency threshold value, defining 46 acceptance criteria having an adjusted 
amount of conservatism, where the amount of conservatism is a function of the 
initiating event frequency, and analyzing 48 an event by a deterministic safety analysis 
methodology when the event has an event initiating frequency at or above the 
threshold value. Method 40 also includes determining 50 an amount of conservatism 
used in the deterministic safety analysis methodology, identifying 52 additional 
system failures that are not a direct consequence of the initiating event, defining 54 a 
total threshold frequency for the combination of the initiating event frequency and the 
additional failure frequency, and adding 56 additional system failures to the safety 
analysis, one at a time, until a total frequency of an event plus additional failures is 
less than the total threshold frequency when the initiating event frequency is above 
the total threshold frequency. 

[0020] Postulated transient and accident events are categorized in order to determine
which events will be analyzed using a deterministic safety analysis methodology or
using PRA methodology. The events are ordered by initiating event frequency from 
high to low. The event spectrum can be made up from discrete events (for example, 
generator load rejection, turbine trip) or a continuous spectrum (e.g., assumed pipe 
break area for a loss-of-coolant accident). Figure 3 shows an example of initiating 
events ordered by an initiating event frequency. 

[0021] Next a threshold value, F_T, for the initiating event frequency is defined. Events
with initiating frequencies above this threshold value will be analyzed using
deterministic safety analysis methodologies. Events with initiating frequencies below
this threshold value will be analyzed with only PRA methodologies. Any suitable value
can be assigned to F_T; for example, in one embodiment, F_T is about 10^-5 to about
10^-7 events per year. In another embodiment, F_T is about 5x10^-6 to 5x10^-7, and
in another embodiment, F_T is about 10^-6 events per year. Figure 4 is a graph
showing events ordered by an event initiating frequency and an initiating event
frequency threshold value.

[0022] The frequency of core damage is used as the figure of merit in PRA
methodologies. The acceptance criteria for deterministic safety analyses are typically
prescribed by regulations or industry standards and include a conservative margin to 
core damage. In an exemplary embodiment, using a risk-informed approach, it is 
possible to determine the appropriate amount of conservatism to be included in the 
deterministic analysis acceptance criteria. The amount of conservatism required can 
be defined as a function of the initiating event frequency. As the likelihood of the 
event increases, the amount of conservatism (or margin to core damage) included in 
the acceptance criteria is also increased. The mathematical relationship between the 
initiating event frequency and the amount of conservatism in the acceptance criteria is 
developed for each application based on a consideration of the relevant phenomena 
and the controlling parameters. Figure 5 shows an example using a step change 
function to define three levels of acceptance criteria. In the example, a first set of 
acceptance criteria 58 is applied to events having initiating frequencies between F_T
and F_1. This set of acceptance criteria has the least amount of conservatism. A
second set of acceptance criteria 60 is applied to events having initiating frequencies
between F_1 and F_2. Since there is a greater likelihood that events in this group will
occur than events in the first group, there is more conservatism included in
acceptance criteria 60 for this group than in acceptance criteria 58 of the first group.
Similarly, a third set of acceptance criteria 62 is applied to the events having initiating
frequencies greater than F_2.

[0023] In an exemplary embodiment, the conservatism used in the analysis methodology
(models, inputs, and assumptions) is risk-informed using the same approach as used
for defining the acceptance criteria. PRA analyses use realistic methodologies with no
added conservatism. The conservatism included in the methodologies used for 
deterministic safety analyses is typically prescribed by regulations or industry 
standards. Using the risk-informed approach of the exemplary embodiment, it is 
possible to determine the appropriate amount of conservatism to include in the 
deterministic analysis methodologies. The amount of conservatism required is defined 
as a function of the initiating event frequency. As the likelihood of the event increases, 
the amount of conservatism included in the analysis methodology is also increased. 
The mathematical relationship between the initiating event frequency and the amount 
of conservatism in the analysis methodology is developed for each application based 
on a consideration of the available methodologies, relevant phenomena, and the 
controlling parameters. Figure 6 shows an example using a step change function to 
define three levels of methodologies. In the example, a first methodology 64 is 
applied to events having initiating frequencies between F_T and F_1. Methodology 64
has the least amount of conservatism. A second methodology 66 is applied to events
having initiating frequencies between F_1 and F_2. Since there is a greater likelihood
that events in this group will occur than events in the first group, there is more
conservatism included in methodology 66 applied to this group of events than
methodology 64 applied to the first group. In a similar fashion, the most conservative
methodology 68 is applied to the events having initiating frequencies greater than
F_2. In the example shown, the initiating event frequency breakpoints, F_1 and F_2, are
not required to be the same as the breakpoints used to define acceptance criteria
regions 58, 60, and 62 described above. Though the process for risk-informing the
acceptance criteria is the same as the process for risk-informing the analysis
methodology, the two processes do not have to be applied together. One
methodology may be used across the event spectrum with the results assessed 
against a varying set of acceptance criteria. Similarly, different methodologies may be 
used across the event spectrum with the results compared against one constant set of 
acceptance criteria. 

[0024] Currently, many deterministic safety analyses must also postulate additional
system failures that are not a direct consequence of the initiating event itself. 
Examples of these postulated failures are loss of offsite power to the plant or the 
failure of a mitigating system to start when demanded. The requirement for
postulating the additional failures was included as a means of ensuring that the 
remaining mitigating systems retained sufficient capacity to mitigate the 
consequences of the event but this requirement does not have an explicit risk basis. 
In the exemplary embodiment, the approach for postulating additional failures is risk-
informed in a manner similar to that used for risk-informing the other aspects of the
deterministic analyses. A total threshold frequency, F, is defined for the
combination of the initiating event frequency and the failure frequency. If the
initiating event frequency is less than F, no additional failures are postulated. If the
initiating event frequency alone is above F, additional failures are postulated, one at
a time, until the total frequency (event plus failures) is below F. This approach is
shown in Figure 7 which is a graph of events ordered by an initiating event frequency 
and showing the additional failures. 
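
The following Python sketch is an added illustration of method 40 as described in paragraphs [0020] to [0024]; it is not part of the original patent text. The breakpoint values, the name F_TOTAL for the total threshold frequency, the event frequencies, the failure probabilities, the order in which failures are postulated, and the rule that the total frequency is the product of the initiating frequency and the failure probabilities are all assumptions made for the example.

```python
from dataclasses import dataclass, field

F_T = 1e-6      # initiating event threshold, events/year (one embodiment on the page)
F_1 = 1e-4      # constructed breakpoint between criteria 58 and 60
F_2 = 1e-2      # constructed breakpoint between criteria 60 and 62
F_TOTAL = 1e-6  # constructed total threshold (hypothetical name) for event plus failures


@dataclass
class Event:
    name: str
    freq: float  # initiating event frequency, events/year
    # (failure name, probability per demand), in assumed postulation order
    failures: list = field(default_factory=list)


def acceptance_criteria(freq):
    """Figure 5 step function; inclusive/exclusive edges are an assumption."""
    if freq > F_2:
        return 62  # most conservative
    return 60 if freq > F_1 else 58


def postulate_failures(event):
    """Add failures one at a time until the total frequency is below F_TOTAL."""
    total, added = event.freq, []
    for name, prob in event.failures:
        if total < F_TOTAL:
            break
        total *= prob  # assumption: independent failures combine by product
        added.append(name)
    return added, total


def plan(events):
    """Order events from high to low frequency and route each to an analysis."""
    rows = []
    for ev in sorted(events, key=lambda e: e.freq, reverse=True):
        if ev.freq < F_T:  # below threshold: PRA only
            rows.append({"event": ev.name, "method": "PRA"})
            continue
        added, total = postulate_failures(ev)
        rows.append({"event": ev.name, "method": "deterministic",
                     "criteria": acceptance_criteria(ev.freq),
                     "failures": added, "total_freq": total})
    return rows


# Constructed event spectrum; frequencies and probabilities are illustrative only.
EVENTS = [
    Event("turbine trip", 1.0, [("loss of offsite power", 1e-2),
                                ("mitigating system fails to start", 1e-3),
                                ("second mitigating system fails", 1e-2)]),
    Event("small pipe break", 5e-5, [("loss of offsite power", 1e-2),
                                     ("mitigating system fails to start", 1e-2)]),
    Event("large pipe break", 1e-7),
]

if __name__ == "__main__":
    print(*plan(EVENTS), sep="\n")
```

With these constructed inputs the frequent event picks up three additional failures before its total frequency falls below the total threshold, the rarer deterministic event needs only one, and the event below F_T is routed to PRA with no deterministic criteria assigned.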

[0025] There may be situations where deterministic analyses must be performed for
events having initiating frequencies below the threshold value F_T. Examples of these
situations are analyses required by regulation and demonstrations of defense in 
depth. In these situations, the PRA acceptance criteria and methods can be used, the 
acceptance criteria and methodology applied to events just above the threshold value 
as described above can be used, or a combination of these approaches can be used. 

[0026] The above described method 40 of risk-informed deterministic safety analyses is
applicable to many areas in the nuclear power plant design. Method 40 can be used, 
for example, to determine the minimum emergency core cooling system performance 
characteristics required to mitigate the consequences of loss-of-coolant accidents 
while still maintaining an appropriate degree of safety margin. These performance 
characteristics can then be used as the basis for developing cost effective 
maintenance and testing requirements. Method 40 can also be used for addressing 
material degradation issues for plant life extension and license renewal. Method 40 
can be used to determine transient and accident structural load definitions. The 
resulting risk-informed load definitions are then used to develop the appropriate 
structural repairs for reactor internals affected by material degradation. The risk- 
informed load definitions also are used as the basis for expanding the reactor 
operating range for plants where the range is restricted by overly conservative 
accident load definitions.

[0027] While the invention has been described in terms of various specific embodiments,
those skilled in the art will recognize that the invention can be practiced with 
modification within the spirit and scope of the claims. 